upper right bubble
ephort logo
lower left bubble

Security Headers


Security headers – intro

HTTP response headers is an essential part of any website out there, and it is therefore important to make sure you have and are using the right once. Here I will go through the 6 security headers that are essential and talk about why and how to implement them into your page.
To help with your headers we have created a scanner, that can help you get a overview on headers your page are missing. You can try the scanner here.

X-Frame-Options – Clickjacking

Clickjacking is a method that tricks the user into thinking they are clicking on one thing when they are actually clicking on another. This is also known as user interface redressing. The user think they are using a web pages normal UI, but instead they are using a hidden transparent one. This Is possible because of HTML frames, also called iframes, which gives the ability to render a webpage within other webpages trough frames. This kind of attack is dangerous especially because the user never knows they are clicking something else, and this can lead to installing malware or stealing credentials such as credit card information. Luckily there are a simple solution to barricade your webpage from this, depending on what you use. You need to locate the config file for the server and add the following:
Nginx: nginx-x-frame-option-example

Content-Security-Policy – x-frame-options big brother

This is also a method of securing yourself vs Clickjacking. CSP is a more modern approach to the problem, that enables feature that X-frame does not provide, let's have a look at some of them. CSP frame ancestors can run in Report-Only Mode, this is essential for protecting your system while it's in production without causing regressions. CSP can also send violation report, this is important for mapping out risks and observing traffic, if you are in monitoring or enforced mode. CSP is also more flexible, since it allows for custom domains as a parameter for the header. This was earlier supported in XFO, but does not work in modern browsers, without using CSP. The best protection for your webpage is to use both headers, this is because less than 5% of web traffic does not support the use of CSP, therefor XFO is still necessary. While CSP is a little trickier to implement into your application, it's definitely worth it. We recommend using a Spatie Laravel package which you can find the instructions for here:
Spatie CSP package

X-Content-Type-Options - MIME sniffing

MIME sniffing is the process used by web browsers to determine the file type of a resource (such as an image or a video) that is being downloaded from a server, when the server has not provided explicit information about the file type. MIME stands for Multipurpose Internet Mail Extensions, which is a standard that defines the types of files that can be sent over the Internet. Each file type has a corresponding MIME type, such as image/png for PNG images, text/html for HTML documents, and application/pdf for PDF files. Sometimes, a web server may not provide the correct MIME type for a resource or may not provide any MIME type at all. In these cases, the web browser will attempt to guess the file type using a technique called MIME sniffing. MIME sniffing works by examining the first few bytes of the file to look for patterns that are characteristic of certain file types. For example, an image file usually starts with a header that contains information about the image size, format, and other metadata. By looking at this header, the browser can determine that the file is an image and then display it accordingly. While MIME sniffing can be useful in some cases, it can also be a security risk, as it can be used to execute malicious code on a user's computer. To mitigate this risk, you should use the X-Content-Type-Option header. This is done by adding the following to your server configuration:
Nginx: nginx-x-frame-option-example

Strict-Transport-Security - man-in-the-middle attacks

Strict Transport Security (HSTS) is a security mechanism used by web servers to instruct web browsers to always use a secure HTTPS connection when communicating with the server. This mechanism helps prevent man-in-the-middle attacks, where an attacker intercepts and modifies the communication between a web browser and a server. When a server sets an HSTS policy, it sends a response header to the web browser that includes a directive telling the browser to always use HTTPS for future requests to the same domain. The header also includes a max-age parameter that specifies the amount of time, in seconds, that the browser should continue to use HTTPS for future requests to the domain, even if the user type http:// instead of https:// in the URL. HSTS helps prevent attacks such as SSL stripping, where an attacker intercepts the initial HTTP request and prevents the browser from upgrading to a secure HTTPS connection, and SSL spoofing, where an attacker presents a fake SSL certificate to the browser to intercept communication. By enforcing HTTPS for all communication with the server, HSTS ensures that all data transmitted between the browser and the server is encrypted and secure. To enable HSTS, the web server must send the HSTS header in the response to the browser, this is done in the server config file by adding the following:
Nginx: nginx-x-frame-option-example

Referrer-Policy - Cross-site request forgery (CSRF)

The Referrer-Policy HTTP header is used to control the information that is sent in the Referrer header when a user navigates from one page to another by clicking on a link. The Referrer header contains the URL of the previous page and is sent in the HTTP request header when a user clicks on a link to navigate to a new page. The Referrer-Policy header allows you to control how much information is sent in the Referrer header and can help protect user privacy and prevent information leakage. RP protects Cross-site request forgery (CSRF) attacks: These attacks involve tricking a user into performing an action on a website without their knowledge or consent, by submitting a request from a different website where the user is logged in. If the user's browser sends the Referrer header in the request, the receiving website can check whether the Referrer header matches the expected value and reject the request if it doesn't. This is known as the "same-origin policy" and is a fundamental security mechanism in web browsers. To add this header to your server, you need to add the following to the server config file:
Nginx: nginx-x-frame-option-example

Permissions-Policy – Cross-site scripting and Cross-site request forgery

The Permissions-Policy header is a new HTTP response header that allows web developers to control which browser features and APIs are allowed to be used on their website. This header can be used to enforce security and privacy policies, restrict access to sensitive APIs, and prevent malicious or abusive behaviour on the web. The Permissions-Policy header works by defining a set of policies that specify which features and APIs are allowed or disallowed on the website. These policies are communicated to the user's browser in the HTTP response header, and the browser then enforces them by restricting access to the specified features and APIs. For example, you can use the Permissions-Policy header to restrict access to sensitive APIs, such as the camera or microphone, by setting the camera and microphone policies to none or disable geolocation by adding this to your server config file:
Nginx: nginx-permissions-policy


Security headers are important to use on your webpage because they help protect against a variety of attacks and vulnerabilities, including cross-site scripting (XSS), clickjacking, cross-site request forgery (CSRF), and content injection attacks. By adding security headers to your website, you can improve its overall security and protect your users' data and privacy. Additionally, using security headers is a best practice recommended by security experts and can help you comply with various security standards and regulations.

The long version

Security headers are HTTP response headers that can be added to your website's HTTP response to help protect against various attacks and vulnerabilities. These headers instruct the user's browser to take certain security measures, such as blocking certain types of content or enforcing secure communication protocols. By adding security headers to your website, you can improve its overall security and protect your users' data and privacy. For example, the X-XSS-Protection header can help prevent cross-site scripting (XSS) attacks by telling the user's browser to block any pages that contain malicious scripts, while the Strict-Transport-Security header can help prevent man-in-the-middle attacks by requiring all communication with your website to be encrypted over HTTPS. Using security headers is also a best practice recommended by security experts and can help you comply with various security standards and regulations. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires the use of certain security headers, such as the Content-Security-Policy header, in order to comply with its security requirements. Overall, using security headers is an important step in securing your website and protecting your users' data and privacy. While they are not a silver bullet and should be used in combination with other security measures, such as secure coding practices and regular security audits, they are an effective and easy-to-implement way to improve the security of your website.

Få en uforpligtende snak

Rune Due Møller

Rune Due Møller

Partner og direktør

Du er velkommen til at ringe direkte til mig på +45 30 95 99 93 eller skrive en mail på rune@ephort.dk

Du kan også udfylde formularen, så kontakter jeg dig hurtigst muligt.